A tool for creating, configuring and managing a WireGuard network and an NFTables traffic-filtering system through a web interface.
- WireGuard — a modern, fast and secure communication protocol.
- NFTables — the Linux kernel subsystem that filters network connections.
The web management interface is reachable only from inside the created network. Access is controlled on two levels: the device (a WireGuard peer) and the user with the "manager" role associated with that device, who authenticates with a time-based one-time password (TOTP).
It lets you create, modify and delete users and their devices, and manage the list of IP addresses allowed to reach the server over SSH.
Access protocol: HTTP over TCP/IP; connection encryption is provided by the WireGuard tunnel.
Available by default at http://172.16.0.1; the address can be changed during installation.
Access protocol: HTTP over a Unix socket.
After installation on the system, the wgn_managercli command is available in the server console.
~$ wgn_managercli wgcfg
  -unix-socket
        path (default "/tmp/wgmanager.sock")
Adding a new user (if you pass is_manager=true, the user is created with the "manager" role and a QR code is displayed so the TOTP key can be imported quickly into a mobile device)
~$ wgn_managercli user-create
  -is_manager
        is manager flag (default "false")
  -name
        name
  -unix-socket
        unix-socket (default "/tmp/wgmanager.sock")
~$ wgn_managercli user-edit
  -is_manager
        is manager flag
  -name string
        name
  -unix-socket string
        unix-socket (default "/tmp/wgmanager.sock")
  -uuid string
        user uuid
~$ wgn_managercli user-remove
  -unix-socket string
        unix-socket (default "/tmp/wgmanager.sock")
  -uuid string
        user uuid
~$ wgn_managercli user
  -unix-socket string
        unix-socket (default "/tmp/wgmanager.sock")
  -uuid string
        user uuid
~$ wgn_managercli users
  -unix-socket string
        unix-socket (default "/tmp/wgmanager.sock")
Adding a new user device (if you do not pass the wg_pubkey parameter, the keys are generated for you and a QR code is displayed so the WireGuard configuration can be imported quickly into a mobile device)
~$ wgn_managercli device-create
  -label string
        label
  -unix-socket string
        unix-socket (default "/tmp/wgmanager.sock")
  -user_uuid string
        user uuid
  -wan_forward
        allow ip forwarding (default "false")
  -wg_pubkey string
        wireguard public key (optional)
~$ wgn_managercli device-edit
  -ip string
        device ip
  -label string
        label
  -unix-socket string
        unix-socket (default "/tmp/wgmanager.sock")
  -wan_forward
        wan_forward
  -wg_pubkey string
        wireguard public key
~$ wgn_managercli device-remove
  -ip string
        device ip
  -unix-socket string
        unix-socket (default "/tmp/wgmanager.sock")
~$ wgn_managercli device
  -ip string
        device ip
  -unix-socket string
        unix-socket (default "/tmp/wgmanager.sock")
~$ wgn_managercli devices
  -unix-socket string
        unix-socket (default "/tmp/wgmanager.sock")
~$ wgn_managercli trust-ipset-add
  -ip string
        device ip
  -unix-socket string
        unix-socket (default "/tmp/wgmanager.sock")
~$ wgn_managercli trust-ipset-remove
  -ip string
        device ip
  -unix-socket string
        unix-socket (default "/tmp/wgmanager.sock")
~$ wgn_managercli trust-ipset
  -unix-socket string
        unix-socket (default "/tmp/wgmanager.sock")
Database initialization with the list of IP addresses allowed to reach the server remotely over SSH (used during server installation, before the first start of the service).
~$ wgn_bootstrap-trust-ipset
  -dbpath string
        dbpath
  -trustip value
        device ip
Requirements:
- Wireguard
- NFTables
The service can run in a Docker container or be installed directly on the system.
- download tool to initialize the service database
~$ curl -L -o ./wgn_bootstrap-trust-ipset "https://github.com/zyablitsev/wgnetwork/releases/download/v0.0.1/wgn-bootstrap-trust-ipset_linux_amd64"
~$ chmod +x ./wgn_bootstrap-trust-ipset
- initialize the database with your IP address; it is added to the list of addresses allowed to reach the server over SSH when the service starts
~$ mkdir /usr/local/boltdb/
~$ TRUSTIP=`last -1w | grep $USER | awk '{ print $3 }'`
~$ ./wgn_bootstrap-trust-ipset -dbpath="/usr/local/boltdb/wgnetwork.db" -trustip="$TRUSTIP"
- turn on ip_forward
~$ sed -i -e '/^#net.ipv4.ip_forward/s/^.*$/net.ipv4.ip_forward=1/' /etc/sysctl.conf
~$ sysctl -p
- start the service container
~$ SESSION_SECRET=`cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-20} | head -n 1`
~$ docker run \
    -e LOG_LEVEL="info" \
    -e DB_PATH="/wgnetwork.db" \
    -e WG_BINARY="/usr/bin/wg" \
    -e WG_PORT="51820" \
    -e WG_CIDR="172.16.0.1/24" \
    -e FE_HTTP_PORT="80" \
    -e API_HTTP_PORT="8080" \
    -e OTP_ISSUER="wgnetwork" \
    -e SESSION_SECRET="$SESSION_SECRET" \
    -e SESSION_TTL="5m" \
    -e NFT_ENABLED="true" \
    -e NFT_DEFAULT_POLICY="drop" \
    -e NFT_TRUST_PORTS="22" \
    --network host \
    --cap-add NET_ADMIN \
    --volume /usr/bin/wg:/usr/bin/wg \
    --volume /usr/local/boltdb/wgnetwork.db:/wgnetwork.db \
    --restart always \
    --name wgnetwork \
    -d zyablitsev/wgnetwork
- create the first user with the "manager" role and register a device
IMPORTANT: the management web interface is reachable only from devices belonging to users with the "manager" role
~$ docker exec wgnetwork \
    /wgn_managercli user-create -name="admin" -is_manager="true"
Scan the QR code with your authenticator app (e.g. Google Authenticator); the TOTP code is required to authenticate in the management interface.
~$ docker exec wgnetwork \
    /wgn_managercli device-create --label="mobile" --user_uuid="INSERT_VALUE"
A WireGuard configuration for the device is generated; add it to your WireGuard client.
Activate the tunnel in WireGuard; you can then open the management web interface at http://172.16.0.1 and sign in with the TOTP code from your authenticator app.
- install required system packages
~$ apt-get update -y
~$ apt-get upgrade -y
~$ apt-get install -y ca-certificates curl nftables wireguard
- turn on ip_forward
~$ sed -i -e '/^#net.ipv4.ip_forward/s/^.*$/net.ipv4.ip_forward=1/' /etc/sysctl.conf
~$ sysctl -p
- add system user wgnetwork
~$ useradd --system \
    -M \
    --user-group \
    --shell /sbin/nologin \
    wgnetwork
- download binaries
~$ curl -L -o /usr/local/bin/wgn_bootstrap-trust-ipset "https://github.com/zyablitsev/wgnetwork/releases/download/v0.0.1/wgn-bootstrap-trust-ipset_linux_amd64"
~$ chmod +x /usr/local/bin/wgn_bootstrap-trust-ipset
~$ chown wgnetwork:wgnetwork /usr/local/bin/wgn_bootstrap-trust-ipset
~$ curl -L -o /usr/local/bin/wgn_managercli "https://github.com/zyablitsev/wgnetwork/releases/download/v0.0.1/wgn-managercli_linux_amd64"
~$ chmod +x /usr/local/bin/wgn_managercli
~$ chown wgnetwork:wgnetwork /usr/local/bin/wgn_managercli
~$ curl -L -o /usr/local/bin/wgnetwork "https://github.com/zyablitsev/wgnetwork/releases/download/v0.0.1/wgnetwork_linux_amd64"
~$ chmod +x /usr/local/bin/wgnetwork
~$ chown wgnetwork:wgnetwork /usr/local/bin/wgnetwork
~$ setcap cap_net_admin,cap_net_bind_service+eip /usr/local/bin/wgnetwork
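The download steps above, like the Docker ones earlier on this page, fetch release binaries with curl and mark them executable without checking what was received. The script below is an added example, not part of the wgnetwork project: it downloads a release asset next to its destination, compares its SHA-256 digest with a value you obtained out of band, and only then sets the ownership and mode the README uses. The digest argument is a placeholder (the page publishes no checksums); `RELEASE_BASE`, `sha256_of`, `verify_sha256` and `install_release` are names chosen here.

```shell
#!/bin/sh
# Added example, not part of the wgnetwork project: fetch a release asset and
# install it only when its SHA-256 digest matches a value obtained out of band.
# The README publishes no checksums, so the digest is supplied by the caller.

RELEASE_BASE="https://github.com/zyablitsev/wgnetwork/releases/download/v0.0.1"

# sha256_of FILE -> prints the hex digest using whichever tool the host has
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{ print $1 }'
    else
        shasum -a 256 "$1" | awk '{ print $1 }'
    fi
}

# verify_sha256 FILE EXPECTED -> succeeds only when the digest matches exactly;
# an empty EXPECTED is rejected so a missing value can never pass the check
verify_sha256() {
    _actual=$(sha256_of "$1") || return 1
    _expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -n "$_expected" ] && [ "$_actual" = "$_expected" ]
}

# install_release ASSET DEST EXPECTED_SHA256 -> downloads ASSET into DEST's
# directory (same filesystem, so the final mv is atomic), verifies it, then sets
# owner and mode. Nothing is left at DEST unless the checksum matched.
install_release() {
    _asset="$1"; _dest="$2"; _sum="$3"
    _tmp=$(mktemp "${_dest%/*}/.wgn.XXXXXX") || return 1
    if ! curl -fsSL -o "$_tmp" "$RELEASE_BASE/$_asset"; then
        rm -f "$_tmp"; echo "download of $_asset failed" >&2; return 1
    fi
    if ! verify_sha256 "$_tmp" "$_sum"; then
        rm -f "$_tmp"; echo "checksum mismatch for $_asset, not installing" >&2; return 1
    fi
    chmod 0755 "$_tmp" && chown wgnetwork:wgnetwork "$_tmp" && mv "$_tmp" "$_dest"
}

# Usage (as root, after the wgnetwork system user exists); the digest is a
# placeholder to be replaced with the value you verified out of band:
#   install_release wgnetwork_linux_amd64 /usr/local/bin/wgnetwork "<sha256-placeholder>"
#   setcap cap_net_admin,cap_net_bind_service+eip /usr/local/bin/wgnetwork
```

The same three calls cover `wgn-bootstrap-trust-ipset_linux_amd64` and `wgn-managercli_linux_amd64`; the `setcap` step still applies only to the `wgnetwork` binary. Writing the temporary file beside the destination rather than in `/tmp` avoids leaving an unverified copy in a world-writable directory.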
- create service environment variables configuration
~$ WG_BINARY=`which wg`
~$ SESSION_SECRET=`cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-20} | head -n 1`
~$ cat <<EOF > /etc/default/wgnetwork
LOG_LEVEL="info"
DB_PATH="/usr/local/boltdb/wgnetwork.db"
WG_BINARY="$WG_BINARY"
WG_PORT="51820"
WG_CIDR="172.16.0.1/24"
FE_HTTP_PORT="80"
API_HTTP_PORT="8080"
API_UNIX_SOCKET="/tmp/wgmanager.sock"
OTP_ISSUER="wgnetwork"
SESSION_SECRET="$SESSION_SECRET"
SESSION_TTL="5m"
NFT_ENABLED="true"
NFT_DEFAULT_POLICY="drop"
NFT_TRUST_PORTS="22"
EOF
~$ chown root:root /etc/default/wgnetwork
~$ chmod 0644 /etc/default/wgnetwork
- create a systemd service configuration description
~$ cat <<EOF > /lib/systemd/system/wgnetwork.service
[Unit]
Description=WGNetworkService
Wants=network-online.target
After=network-online.target
AssertFileIsExecutable=/usr/local/bin/wgnetwork
[Service]
WorkingDirectory=/usr/local/
User=wgnetwork
Group=wgnetwork
EnvironmentFile=/etc/default/wgnetwork
ExecStart=/usr/local/bin/wgnetwork
# Let systemd restart this service always
Restart=always
# Specifies the maximum file descriptor number that can be opened by this process
LimitNOFILE=65536
# Disable timeout logic and wait until process is stopped
TimeoutStopSec=infinity
SendSIGKILL=no
[Install]
WantedBy=multi-user.target
EOF
~$ chown root:root /lib/systemd/system/wgnetwork.service
~$ chmod 0644 /lib/systemd/system/wgnetwork.service
- initialize the database with your IP address; it is added to the list of addresses allowed to reach the server over SSH when the service starts
~$ mkdir /usr/local/boltdb/
~$ TRUSTIP=`last -1w | grep $USER | awk '{ print $3 }'`
~$ wgn_bootstrap-trust-ipset -dbpath="/usr/local/boltdb/wgnetwork.db" -trustip="$TRUSTIP"
~$ chown wgnetwork:wgnetwork /usr/local/boltdb
~$ chmod 0700 /usr/local/boltdb
~$ chown wgnetwork:wgnetwork /usr/local/boltdb/wgnetwork.db
~$ chmod 0600 /usr/local/boltdb/wgnetwork.db
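Both installation variants on this page (the Docker one earlier and this one) take the address to trust for SSH from `last -1w | grep $USER`, which shows only the single most recent wtmp entry (not necessarily your own session) and whose third field is an address only for network logins; whatever comes out is passed to `wgn_bootstrap-trust-ipset` unchecked. With `NFT_DEFAULT_POLICY="drop"`, an empty or wrong value means the server stops answering SSH once the service starts. The script below is an added example, not part of the project: it takes the client address from `SSH_CONNECTION` (or `SSH_CLIENT`), which sshd sets for the current session, falls back to the README's `last` lookup, validates the result as a dotted-quad IPv4 address, and refuses to run the bootstrap without a usable value. The function names (`is_ipv4`, `detect_trust_ip`, `bootstrap_trust_ipset`) are chosen here.

```shell
#!/bin/sh
# Added example, not part of the wgnetwork project: determine the address that
# must keep ssh access before the service applies NFT_DEFAULT_POLICY="drop".
# Assumption: the installer runs over the ssh session that should stay allowed;
# sshd sets SSH_CONNECTION ("client_ip client_port server_ip server_port") and
# SSH_CLIENT ("client_ip client_port server_port") for that session.

# is_ipv4 ADDR -> succeeds only for four dotted decimal octets in 0..255
is_ipv4() {
    _addr="$1"
    case "$_addr" in
        ""|*[!0-9.]*) return 1 ;;
    esac
    # Split on dots in a subshell so IFS and the positional parameters stay untouched.
    (
        IFS=.
        set -- $_addr
        [ "$#" -eq 4 ] || exit 1
        for _o in "$@"; do
            [ -n "$_o" ] && [ "$_o" -le 255 ] || exit 1
        done
        exit 0
    )
}

# detect_trust_ip -> prints the client address of the current ssh session, falling
# back to the last-login lookup the README uses; fails instead of printing junk
detect_trust_ip() {
    for _cand in "${SSH_CONNECTION%% *}" "${SSH_CLIENT%% *}"; do
        if is_ipv4 "$_cand"; then
            printf '%s\n' "$_cand"
            return 0
        fi
    done
    # `last -1w` shows only the most recent wtmp entry, and its third field is an
    # address only for network logins, so the result is validated like the others.
    _cand=$(last -1w 2>/dev/null | grep "${USER:-root}" | awk '{ print $3 }')
    if is_ipv4 "$_cand"; then
        printf '%s\n' "$_cand"
        return 0
    fi
    return 1
}

# bootstrap_trust_ipset DBPATH [IP] -> initialises the database with IP (given or
# detected); refuses to run with no usable address, because an empty trust list
# combined with the default drop policy cuts off ssh when the service starts
bootstrap_trust_ipset() {
    _db="$1"
    _ip="${2:-$(detect_trust_ip)}"
    if ! is_ipv4 "$_ip"; then
        echo "no usable ssh source address found; pass it as the second argument" >&2
        return 1
    fi
    printf 'allowing ssh from %s\n' "$_ip"
    wgn_bootstrap-trust-ipset -dbpath="$_db" -trustip="$_ip"
}

# Usage: sh bootstrap-trust.sh /usr/local/boltdb/wgnetwork.db [203.0.113.5]
if [ "$#" -ge 1 ]; then
    bootstrap_trust_ipset "$@"
fi
```

When the bootstrap is run through `sudo`, the `SSH_*` variables may not survive its environment reset; in that case pass the address explicitly as the second argument. Whatever the source, confirm the printed address is the one you are connecting from before the first `systemctl start wgnetwork`.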
- run service
~$ systemctl enable nftables.service
~$ systemctl enable wgnetwork
~$ systemctl start nftables.service
~$ systemctl start wgnetwork
- create the first user with the "manager" role and register a device
IMPORTANT: the management web interface is reachable only from devices belonging to users with the "manager" role
~$ wgn_managercli user-create -name="admin" -is_manager="true"
Scan the QR code with your authenticator app (e.g. Google Authenticator); the TOTP code is required to authenticate in the management interface.
~$ wgn_managercli device-create --label="mobile" --user_uuid="INSERT_VALUE"
A WireGuard configuration for the device is generated; add it to your WireGuard client.
Activate the tunnel in WireGuard; you can then open the management web interface at http://172.16.0.1 and sign in with the TOTP code from your authenticator app.
Limitations: Debian 11 (bullseye) only
- open terminal and run:
~$ apt-get install -y ca-certificates curl
~$ bash <(curl -s "https://raw.githubusercontent.com/zyablitsev/wgnetwork/main/stuff/install.sh")
- create the first user with the "manager" role and register a device
IMPORTANT: the management web interface is reachable only from devices belonging to users with the "manager" role
~$ wgn_managercli user-create -name="admin" -is_manager="true"
Scan the QR code with your authenticator app (e.g. Google Authenticator); the TOTP code is required to authenticate in the management interface.
~$ wgn_managercli device-create -label="laptop" -user_uuid="INSERT_VALUE" -wan_forward="false"
A WireGuard configuration for the device is generated; add it to your WireGuard client.
Activate the tunnel in WireGuard; you can then open the management web interface at http://172.16.0.1 and sign in with the TOTP code from your authenticator app.
Requirements:
- go 1.19+
- node 16.14+
- clone repository
~$ git clone git@github.com:zyablitsev/wgnetwork.git
- get dependencies
~$ make install-dependencies-fe
- run build
~$ BIN_DIR=./bin/ make build
- build docker-image
~$ make docker-build
- run tests
~$ make test